
It wasn't a call we get every day.
A client that held highly valuable intellectual property at the core of their business had recently sourced a specialist network-connected device from a supplier in a country known for aggressive industrial espionage.
Their question: Could this device be used as a backdoor?
They weren’t being paranoid. They knew the value of their IP, and they knew who might want it.
We worked closely with them to assess the risk. Together, we implemented technical controls to isolate the device and restrict its access to sensitive systems.
But then, the situation escalated.
Not long after the controls were put in place, an employee reported being approached by representatives of the same supplier. Their offer was blunt: cash in exchange for access to the company’s IP.
It was a stark reminder that insider threats don’t always unfold in obvious ways. They can surface through unexpected channels, often blending technical vulnerabilities with human factors. And they’re one of the more prevalent forms of security incident that Acumenis sees hitting Australian organisations.
Addressing these risks effectively requires a holistic approach that considers not just security architecture, but culture, awareness, and trust.
In this article, we explore why insider threats can be so difficult to detect, how ISO 27001 provides a framework to address them, and practical steps organisations can take to reduce their exposure.
What is an insider threat?
An insider threat refers to a security risk that originates from within the organisation. This could involve current or former employees, contractors, or suppliers who have – or once had – legitimate access to an organisation’s systems, data, or networks. Unlike external attackers, insiders can exploit their trusted status to bypass traditional security measures, making their actions harder to detect and prevent.
Insider threats can be:
- Malicious – where individuals intentionally cause harm, such as stealing data or sabotaging systems.
- Negligent – where well-meaning employees inadvertently create vulnerabilities through careless actions.
- Compromised – where insiders are manipulated or coerced by external actors to act against the organisation’s interests.
Why insider risks are especially challenging
Insider threats are particularly dangerous because they often blend in with normal activity, evade traditional detection tools, and are masked by trust and familiarity within the organisation.
A compromised employee might exfiltrate data slowly over time. A well-meaning staff member might unknowingly introduce risk by using unauthorised tools or sharing sensitive information. And in many cases, the warning signs – if they exist at all – are behavioural rather than technical.
To address the complexity of insider risks, organisations need more than just monitoring tools; they need a structured, risk-based approach.
For organisations that are aligned with ISO 27001, the standard provides exactly that: a comprehensive framework for identifying, prioritising, and mitigating risks such as insider threats through a combination of governance, technical controls, and cultural awareness.
ISO 27001 as a Risk-Based Framework
ISO 27001 defines a risk-based approach to information security.
At the heart of the standard is the requirement to conduct a comprehensive risk assessment that identifies threats, vulnerabilities, and potential impacts to the organisation’s information assets. This includes evaluating the risk of insider threat - whether from employees, contractors, or third parties with legitimate access to systems and data.
By performing this assessment, organisations can identify specific types of insider threats that need to be addressed. As food for thought, some of the insider threats Acumenis has recently seen include:
- Bribery attempts: Employees at a Brisbane-based company were offered bribes to provide access to an organisation's IT systems and intellectual property.
- Malicious past employees: A former employee at a Gold Coast company retained access to a messaging platform, and used it to pilfer customers.
- Negligent admins: IT staff sending login details for a global admin account to an external party in plain text, raising the likelihood of account compromise.
Once risks are identified, ISO 27001 provides a catalogue of controls in Annex A, which can be layered as necessary to mitigate the risks effectively. The following are the most relevant controls from the 2022 revision that support insider threat management:
Key Annex A Controls to Address Insider Risk
Organisational Controls
- A.5.1 - Policies for Information Security: Establishes the foundation for acceptable behaviour and security expectations across the organisation.
- A.5.3 - Segregation of Duties: Reduces the risk of fraud or error by ensuring that critical tasks require more than one person to complete. This is essential for preventing abuse of power or privilege by insiders.
- A.5.10 - Acceptable Use of Information and Other Associated Assets: Defines how employees and contractors may use organisational assets, helping to prevent misuse.
- A.5.18 - Access Rights: Ensures that access rights are granted, reviewed, and revoked appropriately, which is critical for managing insider access.
People Controls
- A.6.1 - Screening: Conducts background checks to reduce the risk of insider threats before employment begins.
- A.6.2 - Terms and Conditions of Employment: Embeds security responsibilities into employment contracts.
- A.6.3 - Information Security Awareness, Education and Training: Builds a security-aware culture, reducing the likelihood of accidental insider incidents.
- A.6.4 - Disciplinary Process: Provides a formal mechanism to deter and respond to breaches of security policy, including insider misuse.
- A.6.5 - Responsibilities After Termination or Change of Employment: Ensures that access is revoked and responsibilities are clearly defined when roles change or employment ends.
Physical Controls
- A.7.2 - Physical Entry: Restricts physical access to sensitive areas, reducing the risk of unauthorised internal access.
- A.7.4 - Protection Against Physical and Environmental Threats: Includes safeguards against tampering or sabotage by insiders with physical access.
Technical Controls
- A.8.2 - Privileged Access Rights: Controls and monitors elevated access to prevent abuse by insiders with administrative privileges.
- A.8.3 - Information Access Restriction: Enforces the principle of least privilege, limiting access to only what is necessary. This control can be invaluable in limiting the blast radius of an incident.
- A.8.12 - Data Leakage Prevention: Implements measures to prevent unauthorised disclosure of sensitive information, whether intentional or accidental.
- A.8.15 - Logging: Captures user activity to detect suspicious behaviour and support investigations.
- A.8.16 - Monitoring Activities: Enables proactive detection of insider threats through continuous monitoring and alerting. Don't stick with default detection rules in your EDR/XDR platforms - think about what your insider threat scenarios would look like, and ways that you could best detect them. For example, attempts to access sensitive files, or downloading unusual numbers of files at a time.
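As an added illustration (not code from the original article), the two A.8.16 scenarios above, access to sensitive files and an unusual burst of downloads, can be expressed as simple custom detection rules run over file-access audit events. The sample log lines, the sensitive-path prefixes and the bulk threshold are all constructed assumptions that would be tuned to an organisation's own data classification and baseline activity.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-access audit events (not real logs):
# "<timestamp> <user> <action> <path>"
SAMPLE_EVENTS = """
2024-05-01T09:02:11Z alice download /shared/marketing/brochure.pdf
2024-05-01T09:05:40Z alice download /shared/marketing/pricing.xlsx
2024-05-01T09:06:02Z bob download /engineering/ip/firmware_v3_design.docx
2024-05-01T09:06:05Z bob download /engineering/ip/schematics_rev7.pdf
2024-05-01T09:06:09Z bob download /engineering/ip/test_results.csv
2024-05-01T09:06:12Z bob download /engineering/ip/bom.xlsx
2024-05-01T09:06:15Z bob download /engineering/ip/supplier_contracts.pdf
2024-05-01T09:06:18Z bob download /engineering/ip/roadmap_2025.pptx
2024-05-01T09:40:00Z carol read /hr/payroll/salaries_2024.xlsx
2024-05-01T10:15:00Z alice download /shared/marketing/logo.png
""".strip().splitlines()

# Assumed, organisation-specific tuning values
SENSITIVE_PREFIXES = ("/engineering/ip/", "/hr/payroll/")
BULK_THRESHOLD = 5            # downloads within WINDOW that count as unusual
WINDOW = timedelta(minutes=10)

def parse(line):
    """Split one audit line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, path

def detect(lines):
    """Return alerts for sensitive-path access and per-user bulk downloads.

    Each alert is a tuple (rule_name, user, detail). The bulk rule keeps a
    sliding window of each user's download timestamps and fires once when
    the count first reaches BULK_THRESHOLD, so one burst yields one alert.
    """
    alerts = []
    recent = defaultdict(list)  # user -> download timestamps inside the window
    for ts, user, action, path in map(parse, lines):
        if path.startswith(SENSITIVE_PREFIXES):
            alerts.append(("sensitive_access", user, path))
        if action == "download":
            recent[user] = [t for t in recent[user] + [ts] if ts - t <= WINDOW]
            if len(recent[user]) == BULK_THRESHOLD:
                detail = f"{BULK_THRESHOLD} downloads within {WINDOW}"
                alerts.append(("bulk_download", user, detail))
    return alerts

if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:17} {user:6} {detail}")
```

Run against the sample, the rules flag each of bob's six IP-folder downloads, one bulk-download alert for bob's burst, and carol's payroll read, while alice's ordinary marketing downloads produce nothing.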
Building a Resilient Insider Threat Program
By aligning your insider threat management strategy with ISO 27001, you can:
- Reduce the likelihood of insider incidents through proactive controls.
- Detect and respond to suspicious behaviour early.
- Prevent data loss and unauthorised disclosure through DLP technologies and policies.
- Foster a culture of accountability and security awareness.
Whether you're just beginning your ISO 27001 journey or refining an existing ISMS, focusing on these controls will significantly strengthen your organisation’s resilience against insider threats.
Need assistance?
If you would like assistance with addressing insider risk or implementing ISO 27001, we'd love to chat. We support organisations Australia-wide, with specialists in Brisbane and Toowoomba.